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IN THE CLAIMS 

Please cancel claims 1-5 and substitute the following new claims 6-10. 
What is claimed is: 

1 1 . (cancelled) A wide area network using the internet as a backbone, 

2 comprising: 

3 a first dedicated line coupled to a first participating ISX/ISP provider of 

4 internet access; 

5 a source router having a channel service unit having an output coupled to 

6 said first dedicated line; 

7 a source firewall circuit having a first port for coupling directly or through 

8 a local area network to a first device for which communication over said wide 

9 area network (hereafter WAN) is desired, and having a WAN interface coupled to 

I 0 said source router directly or through a local area network, said source firewall 

I I functioning to encrypt the payloads of downstream WAN packets being 

1 2 transmitted via the WAN interface to said source router using any encryption 

1 3 method having a user definable key or keys, and for decrypting the payloads of 

1 4 any incoming upstream WAN packets arriving from said source router via said 

1 5 WAN interface using the same encryption method and user definable key or keys 

1 6 that were used to encrypt the outgoing WAN packets; 
1 7 one or more routers of other participating ISX/ISP providers of internet 

1 8 services including a router at an endpoint participating ISX/ISP provider, said 

1 9 routers functioning to implement a predetermined private tunnel data path coupling 

20 a router of said first ISX/ISP to a router of said endpoint participating ISX/ISP 

2 1 provider through said routers of said participating ISX/ISP providers; 

22 a destination router including a channel service unit coupled to or part of 

2 3 said destination router, said destination router coupled through said channel 

2 4 service unit and a second dedicated line to said router of said endpoint ISX/ISP 

25 provider; 

26 a destination firewall circuit having a WAN interface coupled to said 

27 destination router directly or through a local area network and having a second 

28 port for coupling directly or through a local area network to a device for which 

29 communication across said wide area network is desired, said firewall 
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30 functioning to encrypt the payloads of upstream WAN packets being transmitted 

3 1 through said WAN interface to said destination router for transmission to said 

3 2 source router via said private tunnel using the same encryption method used by 

3 3 said source firewall and the same user definable key or keys used by said 

34 source firewall circuit, and for decrypting any incoming packets from said source 

3 5 router arriving from said endpoint participating ISX/ISP provider using the same 

36 encryption protocol used by said source firewall and the same user definable key 

37 or keys used by said source firewall circuit and transmitting the decrypted 

38 packets to said second device. 

1 2. (cancelled) A process for launching downstream AlterWAN packets 

2 addressed to an AlterWAN destination into a private tunnel coupling two AlterWAN 

3 destinations using the internet as a backbone and for launching non-AlterWAN packets 

4 into a normal internet traffic routing data path, comprising the steps: 

5 receiving at a source firewall an incoming downstream wide area 

6 network packet from a workstation or other device at a first customer location 

7 said incoming downstream wide area network packet being either addressed to 

8 an AlterWAN destination or not an AlterWAN packet; 

9 at said source firewall, using the destination address in said incoming 

1 0 downstream wide area network packet to determine if said packet is addressed 

11 to an AlterWAN destination coupled to said source firewall by a private tunnel 

1 2 using the internet as a backbone (hereafter referred to as an AlterWAN packet) 

13 or is addressed to some non-AlterWAN website or location on the internet 

1 4 (hereafter referred to as a non-AlterWAN packet); 

1 5 if said packet is an AlterWAN packet, encrypting at said source firewall 

1 6 the payload portion thereof and forwarding the encrypted AlterWAN packet to a 

1 7 source router; 

1 8 if said packet is a non-AlterWAN packet, at said source firewall, 

1 9 forwarding said non-AlterWAN packet to said source router without encrypting 

20 the payload portion thereof; 

2 1 at said source router, converting both said AlterWAN packets and said 

2 2 non-AlterWAN packets into signals suitable for transmission on a dedicated 
2 3 telephone line or other transmission medium coupling said source router to a 
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2 4 specially selected first ISX/ISP provider and transmitting said signals to said 

2 5 specially selected ISX/ISP provider, said specially selected ISX/ISP provider being 

2 6 selected either because their routing tables are such that AlterWAN packets will 

27 naturally be routed along high bandwidth, low hop-count data paths to the next 

28 ISX/ISP provider in said virtual private network or because the routing tables of 

2 9 the router of said first ISX/ISP provider have been altered to insure that AlterWAN 

30 packets get routed along high bandwidth, low hop-count data paths to the next 

3 1 ISX/ISP provider along said private tunnel. 

1 3. (Cancelled) An apparatus comprising: 

2 a dedicated data path for coupling to a specially selected first participating 

3 ISX/ISP provider of internet access; 

4 a firewall circuit having a first port for coupling directly or through a local 

5 area network to one or more devices for which communication over a wide area 

6 network using the internet as a backbone is desired, and having a second port, 

7 said firewall functioning to to use the destination addresses in the headers of 

8 each packet received from said one or more devices to distinguish between 

9 AlterWAN packets which are packets addressed to destination devices coupled 

I 0 to said firewall circuit via a private tunnel through the internet, and conventional 

I I packets which are packets not addressed to destination devices coupled to said 
1 2 firewall circuit via a private tunnel through the internet, said firewall circuit 

1 3 functioning to encrypt the payloads of outgoing AlterWAN packets using one or 

1 4 more predetermined keys and an encryption algorithem, and sending said 

1 5 encrypted AlterWAN packets to said source router via said second port, and 

1 6 functioning to forward any conventional packets to said source router, and 

1 7 functioning to decrypt any incoming AlterWAN packets arriving from said source 

1 8 router using the the same encryption algorithms and one or more predetermined 

1 9 keys which were used to encrypt the packets at the location from which they 

20 were sent; 

2 1 a source router having an input coupled to said second port of said 

22 firewall circuit either directly or by a local area network connection, and having a 

2 3 channel service unit having an output coupled to said dedicated data path, said 
24 channel service unit functioning to convert digital data packets received from said 
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25 firewall circuit into signals suitable for transmission over whatever type of 

2 6 transmission medium is selected for said dedicated data path, and for converting 

27 signals received from said dedicated data path into data packets, said source 

28 router for transmitting both AlterWAN and non-AlterWAN packets over said 

2 9 dedicated data path to said specialty selected first participating ISX/ISP provider 

30 where AlterWAN packets will be routed via said private tunnel and specially 

3 1 seleted ISX/ISP providers to their destination and non-AlterWAN packets will be 

3 2 routed along paths on the internet other than said private tunnel. 
33 

1 4. (Cancelled) A method of designing and implementing a wide area network 

2 using the internet as a backbone, comprising the steps: 

3 1) selecting source and destination sites that have devices that need to be 

4 connected by a wide area network; 

5 2) examining the ISX/ISP internet service providers that exist between said 

6 source and destination sites and selecting two or more of such ISX/ISP providers 

7 through which data passing between said source and destination sites will be 

8 routed, said selection being based upon how many hops the routers at those 

9 sites will cause packets travelling between said source and destination sites to 

I 0 take and whether the average available bandwidth of the data paths along which 

I I the packets travelling between said source and destination sites will travel is 
1 2 substantially greater than the worst case bandwidth consumption of traffic 

1 3 between said source and destination sites; 

1 4 3) coupling a source firewall to the devices at said source site and 

1 5 configuring said firewall to examine the destination addresses of packets 

1 6 received from said devices at said source site and encapsulate each packet 

1 7 addressed to any device at said destination site in an internet protocol packet, 

1 8 hereafter referred to as an AlterWAN packet, said AlterWAN packet having as its 

1 9 destination address the address of an untrusted port of a destination firewall at 

20 said destination site and having the original IP packet as its payload, said source 

2 1 firewall being configured to encrypt the payload portions of all said AlterWAN 

2 2 packets using a predetermined encryption algorithm and one or more encryption 
2 3 keys but not to encapsulate or encrypt the payload portions of any packets 

24 received from said devices at said source site which are not addressed to any 
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2 5 device at said destination site, and configuring said source firewall to recognize 

2 6 any incoming AlterWAN packets which have as their destination addresses the IP 

27 address of the untrusted side of said source firewall and to strip off the 

28 AlterWAN packet headers and decrypt the payload portion of each said 

2 9 AlterWAN packet to recover the original IP packet transmitted from said 

30 destination site using the same encryption algorithm and the same encryption key 

3 1 or keys used to encrypt the payload portions of said AlterWAN packets at said 

3 2 destination site and for outputting said recovered the original IP packet to said 

33 devices at said source site, said source firewall having an untrusted port; 

34 4) coupling a source router to receive said encrypted and non-encrypted 
3 5 packets from said untrusted port of said source firewall and to convert them in a 
3 6 channel service unit to signals suitable for transmission over a first dedicated 

3 7 local loop connection; 

38 5) contracting to establish said first dedicated local loop connection 

39 between the output of said source router at which said signals appear and a first 

40 participating ISX/ISP provider in the group of ISX/ISP providers selected in step 2; 

4 1 6) providing a destination router at said destination site having a channel 

42 service unit which functions to receive from a second dedicated local loop 

43 connection downstream signals encoding both encrypted AlterWAN packet and 

44 conventional IP packets and converting said signals back into the original digital 

45 packet form and outputting the recovered downstream packets at a firewall port, 

46 and said destination router configured to receive upstream AlterWAN and 

47 conventional packets and convert them into signals suitable for transmission on 

48 said second dedicated data path coupling said destination router to an endpoint 

49 participating ISX/ISP provider in the group of ISX/ISP providers selected in step 2 

50 and transmitting said signals on said second dedicated local loop connection; 

5 1 7) contracting to provide a second dedicated local loop connection 
5 2 connecting the input of said destination router to said endpoint participating 

5 3 ISX/ISP provider, said second dedicated local loop connection having sufficiently 

54 high bandwidth to handle the worst case traffic volume; 

55 8) providing a destination firewall having an untrusted port having an IP 

56 address coupled to said firewall port of said destination router to receive said 

57 recovered digital packets, and configuring said destination firewall to recognize 
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58 as AlterWAN packets incoming recovered packets having as their destination 

59 address the IP address of said destination firewall untrusted input port and to 

60 strip off the AlterWAN packet header and decrypt the payload portion of said 

6 1 AlterWAN packet using the same encryption algorithm and encryption key or keys 

62 that were used to encrypt the packet at said source firewall, and configuring said 

63 destination firewall to output the decrypted packets at an output coupled to 

64 devices at said destination site, and configuring said destination firewall to 

65 examine the destination addresses of upstream IP packets received from said 

66 devices at said destination site and encapsulate each upstream IP packet 

67 addressed to any device at said source site in another IP packet, hereafter 

68 referred to as an AlterWAN packet, said AlterWAN packet having as its 

69 destination address the IP address of an untrusted port of said source firewall at 

70 said source site and having the original IP packet as its payload, said destination 

7 1 firewall being configured to encrypt the payload portions of all said AlterWAN 

7 2 packets using a predetermined encryption algorithm and one or more encryption 

73 keys but not to encapsulate or encrypt the payload portions of any IP packets 

74 received from said devices at said destination site which are not addressed to 
7 5 any device at said source site (hereafter referred to as conventional packets), 
7 6 and said destination firewall configured to transmit said encrypted AlterWAN 

77 packets and said conventional packets to said destination router via said 

78 untrusted port. 

1 5. (Cancelled) A wide area network using the internet as a backbone, 

2 comprising: 

3 a first dedicated line coupled to a first participating ISX/ISP provider of 

4 internet access; 

5 a source router having a channel service unit having an output coupled to 

6 said first dedicated line; 

7 a source firewall circuit having a first port for coupling directly or through 

8 a local area network to a first device for which communication over said wide 

9 area network (hereafter WAN) is desired, and having a WAN interface coupled to 

I 0 said source router directly or through a local area network, said source firewall 

I I functioning to encrypt the payloads of downstream WAN packets being 
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1 2 transmitted via the WAN interface to said source router using a first encryption 

1 3 method having a first set of user definable keys which may be only one key, and 

1 4 for decrypting the payloads of any incoming upstream WAN packets arriving from 

1 5 said first participating ISX/ISP using a second encryption method which is 

1 6 different than said first encryption method and a second set of user definable 

1 7 keys which are different than the first set of user definable keys were used to 

1 8 encrypt the downstream WAN packets; 

1 9 one or more routers of other participating ISX/ISP providers of internet 

20 services including a router at an endpoint participating ISX/ISP provider, said 

2 1 routers functioning to implement a predetermined private tunnel data path coupling 

22 a router of said first ISX/ISP to a router of said endpoint participating ISX/ISP 

23 provider through said routers of said participating ISX/ISP providers; 

24 a destination router including a channel service unit coupled to or part of 

2 5 said destination router, said destination router coupled through said channel 

2 6 service unit and a second dedicated line to said router of said endpoint ISX/ISP 

2 7 provider; 

28 a destination firewall circuit having a WAN interface coupled to said 

29 destination router directly or through a local area network and having a second 

30 port for coupling directly or through a local area network to a device for which 

3 1 communication across said wide area network is desired, said destination 

3 2 firewall functioning to encrypt the payloads of upstream WAN packets being 

3 3 transmitted through said WAN interface to said destination router for transmission 

34 to said source router via said private tunnel using the same encryption method 

35 and user definable key or keys used by said source firewall to decrypt upstream 
3 6 WAN packets, and for decrypting any incoming downstream WAN packets from 
3 7 said source router arriving from said destination router via the router of said 

3 8 endpoint participating ISX/ISP provider using the same encryption method and 

39 encryption key or keys used by said source firewall to encrypt downstream WAN 

40 packets and transmitting the decrypted packets to said second device. 

1 6. (New) A private, secure wide area network between a source site and a 

2 destination site using the internet as a backbone, comprising: 

3 a first dedicated local loop connection providing a signal path to a router of a 
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4 source ISX/ISP provider of internet access; 

5 a source router located at a source site and having a channel service unit 

6 having an output coupled to said first dedicated local loop connection; 

7 a source firewall circuit located at a source site and having a first port for 

8 coupling directly or through a local area network to one or more computers or other 

9 devices at said source site for which communication over said private, secure wide 

I 0 area network (hereafter WAN) is desired, and having a WAN interface coupled to 

I I said source router directly or through a local area network, said source firewall 
1 2 functioning to encapsulate any Internet Protocol packets hereafter IP packets 

13 transmitted from said first computer or other device which have a destination Internet 

1 4 Protocol address (hereafter IP address) which is one of a set of IP addresses of 

1 5 computers or other devices at a destination site, said encapsulation being into the 

1 6 payload sections of IP packets having as their destination address the IP address of a 

1 7 firewall at said destination site and for encrypting said payload sections of said 

1 8 AlterWAN packets using any encryption method having a key, and transmitting said 

1 9 AlterWAN packets to said source router, where IP packets having as their destination 

20 address the IP address of a computer or other device at either said source site or 

2 1 said destination site and having an encrypted IP packet transmitted from a computer 

22 or other device at said source site or said destination site as a payload being defined 

2 3 and hereafter referred to as AlterWAN packets, but for not encapsulating into 

24 AlterWAN packets any IP packets transmitted by said first computer or other device 

2 5 which do not have as their destination address an IP address which is one of said IP 

26 addresses of computers or other devices at said destination site, and for receiving 

27 incoming IP packets from various sources including computers and devices at said 

28 destination site via said source router and for recognizing AlterWAN packets among 

29 these IP packets and decrypting the payloads of said AlterWAN packets using the 

30 same encryption method and key or keys that were used to encrypt the AlterWAN 

3 1 packets to recover said IP packets that were encapsulated in said AlterWAN packets 

3 2 and transmitting at least said recovered IP packets to said one or more computers or 

33 devices at said source site; 

34 one or more routers of other participating ISX/ISP providers of internet 

3 5 services besides said source ISX/ISP provider including a router at an endpoint 

3 6 participating ISX/ISP provider, said routers of said source and endpoint ISX/ISP 
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3 7 providers and said other participating ISX/ISP providers functioning to implement a 

3 8 predetermined private tunnel data path for said AlterWAN packets coupling a router of 

3 9 said source ISX/ISP provider to a router of said endpoint participating ISX/ISP provider 

40 through said routers of said other participating ISX/ISP providers, said source and 

4 1 endpoint ISX/ISP providers and said other ISX/ISP providers being providers of 

42 internet services who have contracted to provide and who have been pretested to 

43 verify that they do in fact provide a low hop count portion of a data path between 

44 said source site and said destination site for said AlterWAN packets with an average 

45 available bandwidth along said portion of said data path travelled by said AlterWAN 

46 packet which each ISX/ISP provider provides which substantially exceeds the worst 

47 case bandwidth consumption of AlterWAN packet traffic between said source site 

48 and said destination site; 

49 a destination router including a channel service unit coupled to or part of said 

50 destination router, said destination router coupled through said channel service unit 

5 1 and a second dedicated local loop connection to said router of said endpoint ISX/ISP 

52 provider; 

53 a destination firewall circuit having a WAN interface coupled to said 

54 destination router directly or through a local area network and having a second port 

5 5 for coupling directly or through a local area network to a one or more computers or 

56 devices for which communication across said private, secure wide area network is 

57 desired, said destination firewall functioning to encapsulate into the payload sections 

58 of AlterWAN packets IP packets transmitted from said one or more computers or 

59 devices at said destination site and having as their destination addresses an IP 

60 address of said one or more computers or devices at said source site, and 

6 1 functioning to encrypt the payloads of said AlterWAN packets and transmit said 

62 AlterWAN packets to said destination router, but for not encapsulating into AlterWAN 

63 packets any IP packets transmitted from said one or more computers or devices at 

64 said destination site which do not have as their destination address an IP address of 

6 5 said one or more computers or devices at said source site, and for receiving IP 

66 packets from various sources including said one or more computers or devices at 

67 said source site via said destination router, and functioning to recognize AlterWAN 

68 packets among said received IP packets and decrypt the payload sections of said 

69 AlterWAN packets to recover the original IP packets using the same encryption 
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71 


70 


73 


72 


protocol used by said source firewall to encrypt said payload sections of said 
AlterWAN packets and the same key or keys used by said source firewall and 
transmitting at least the decrypted IP packets recovered from AlterWAN packet to said 
one or more computers or devices at said destination site. 


7. (New) A process for sending AlterWAN data packets securely between a 


2 computer at a source site and a computer at a destination site so as to implement a Wide 

3 Area Network between said source and destination sites of a customer using the internet as 

4 a backbone but which is private and which only said customer can use while simultaneously 

5 launching non-AlterWAN packets into a normal internet traffic routing data path, comprising 

6 the steps: 

7 receiving at a source firewall incoming Internet Protocol packets (hereafter IP 

8 packets) from a computers at a source site of a customer, some of said IP packets 

9 having as their destination addresses an Internet Protocol address (hereafter IP 

I 0 address) of a computer at a destination site of said customer; 

I I at said source firewall, comparing the destination address in each said 

1 2 received IP packet to an IP address of a computer at said destination site of said 

1 3 customer, and if an IP packet has as its destination address the IP address of a 

1 4 computer at said destination site, concluding said IP packet is an AlterWAN packet 

1 5 payload which needs to be transmitted via a virtual private network over the internet 

1 6 to said computer at said destination site, but if said destination address of said 

1 7 received IP packet is not an IP address of a computer at said destination site, 

1 8 concluding said IP packet is nont an AlterWAN payload packet and needs to be routed 

1 9 as any other IP packet would be routed; 

20 if a received IP packet is an AlterWAN payload packet, encapsulating said 

2 1 AlterWAN payload packet into the payload section of an IP packet having as its 

2 2 destination address the IP address of a firewall at the destination end of said virtual 

23 private network (hereafter referred to as AlterWAN packet) and encrypting at said 

24 source firewall the payload portion of said AlterWAN packet using any encryption 
2 5 algorithm having a key which same encryption algorithm and key can be used by a 

26 firewall at said destination site to recover said AlterWAN payload packet, and 

27 forwarding said AlterWAN packet to a source router; 

28 if a received IP packet is not an AlterWAN payload packet.forwarding said 
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29 received IP packet which is not an AlterWAN payload packet (hereafter referred to as 

30 a non-AlterWAN packet) to said source router without encapsulating said non- 

3 1 AlterWAN packet into an AlterWAN packet; 

32 at said source router, converting both said AlterWAN packets and said non- 
3 3 AlterWAN packets into signals suitable for transmission on a dedicated local loop 
34 connection coupling said source router to a specially selected source participating 
3 5 ISX/ISP provider and transmitting said signals to said specially selected source 

3 6 participating ISX/ISP provider, said specially selected source participating ISX/ISP 

3 7 provider being selected either because their routing tables are such that AlterWAN 

38 packets will naturally be routed along high bandwidth, low hop-count data paths to 

3 9 next participating ISX/ISP provider in said virtual private network or because the 

40 routing tables of the router of said specially selected source participating ISX/ISP 

4 1 provider have been altered to insure that AlterWAN packets get routed along high 

42 bandwidth, low hop-count data paths to the next ISX/ISP provider along said virtual 

43 private network and wherein said source participating ISX/ISP provider and all other 

44 participating ISX/ISP providers whose routers route AlterWAN packets have 

45 contracted to provide a data path for said AlterWAN packets with an average 

46 available bandwidth which exceeds the worst case bandwidth consumption of 

47 AlterWAN packets traveling between said source site and said destination site of said 

48 customer. 

1 8. (New) An apparatus comprising: 

2 a dedicated data path for coupling signals to a specially selected first 

3 participating ISX/ISP provider of internet access; 

4 a first firewall circuit having a first port for coupling directly or through a local 

5 area network to one or more devices for which communication over a private wide 

6 area network between a customer's source site and destination site using the 

7 internet as a backbone is desired, and having a second port, said firewall functioning 

8 to use the destination addresses in the headers of each packet received from one or 

9 more devices at said source site to distinguish between conventional packets and 

1 0 AlterWAN payload packets, where AlterWAN payload packets are packets 

1 1 addressed to devices at said destination site or said source site, and wherein a 

1 2 computer at said destination site is coupled to a computer at said source site via a 
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1 3 second firewall circuit and a virtual private network tunnel through a public wide area 

1 4 network such as the internet terminating at said source site at said first firewall circuit 

1 5 and terminating at said destination site at said second firewall circuit, and wherein 

1 6 conventional packets are packets which are not addressed to devices at said 

1 7 destination site said first firewall circuit functioning to encapsulate said AlterWAN 

1 8 payload packets in the payload section of AlterWAN packets which are addressed to 

1 9 said second firewall circuit at said destination end of said virtual private network 

20 tunnel, and further functioning to encrypt the payloads of AlterWAN packets using 

2 1 one or more predetermined keys and an encryption algorithm, and said first firewall 

2 2 circuit further functioning to distinguish between incoming AlterWAN packets and 

2 3 conventional packets by comparing the destination addresses thereof to the address 

24 of said first firewall circuit and concluding that any incoming packets addressed to 

25 said first firewall circuit are AlterWAN packet and all packets addressed to one or 

26 more computers at said source site coupled to said first firewall circuit are 

27 conventional packets, and to decrypt the payload sections of any incoming AlterWAN 

2 8 packets using the same encryption algorithm and one or more predetermined keys 
29 which were used to encrypt the AlterWAN packets so as to recover the 

3 0 encapsulated AlterWAN payload packet; 

3 1 a source router having an input coupled to said second port of said firewall 

3 2 circuit either directly or by a local area network connection, and having a channel 

3 3 service unit having an output coupled to said dedicated data path, said router and 

34 channel service unit functioning to receive said AlterWAN packets and said 

3 5 conventional packets from said first firewall circuit and convert said packets into 

3 6 signals suitable for transmission over whatever type of transmission medium is 

37 selected for said dedicated data path, and for converting signals received from said 

3 8 dedicated data path into data packets, said source router for transmitting both 

39 AlterWAN packets and conventional packets over said dedicated data path to said 

40 specially selected first participating ISX/ISP provider where said AlterWAN packets 

41 will be routed via said virtual private network tunnel and specially selected 

42 participating ISX/ISP providers to said second firewall and non-AlterWAN packets will 

43 be routed along paths on the internet other than said virtual private network tunnel 

44 and wherein said first participating ISX/ISP provider and all said other ISX/ISP 

45 providers are providers who have contracted to and do in fact provide data paths for 
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46 AlterWAN packets which combine to form a low hop count data path with an average 

47 available bandwidth which substantially exceeds the worst case bandwidth 

48 consumption of AlterWAN packets traveling between said source site and said 

49 destination site. 

1 9. (New) A method of designing and implementing a wide area network using the 

2 internet as a backbone, comprising the steps: 

3 1 ) selecting source and destination sites that have computers or other 

4 devices (hereafter referred to simply as computers) that need to be connected by a 

5 wide area network; 

6 2) examining available ISX/ISP internet service providers that can route 

7 AlterWAN packets between said source and destination sites and selecting two or 

8 more of such ISX/ISP providers as participating ISX/ISP providers including at least a 

9 source ISX/ISP provider and a destination ISX/ISP provider through which AlterWAN 

I 0 packet data passing between said source and destination sites will be routed, said 

I I selection of said participating ISX/ISP providers being made so as to minimize the 
1 2 number of hops on the internet the routers at participating ISX/ISP providers wilt 

1 3 cause AlterWAN packets to take while traveling between said source and destination 

1 4 sites and so as to guarantee that the average available bandwidth of the data paths 

1 5 along which said AlterWAN packets traveling between computers at said source and 

1 6 destination sites will travel is substantially greater than the worst case bandwidth 

1 7 consumption of traffic between said source and destination sites; 
1 8 3) pretesting the ISX/ISP providers selected in step 2 by testing to verify the 

1 9 data path that an AlterWAN packets will take through the internet to verify that what 

20 the participating ISX/ISP providers promised to deliver will actually be delivered; 

2 1 4) contracting with said participating ISX/ISP providers to provide routing of 

2 2 AlterWAN packets so as to minimize the number of hops on the internet said 

23 AlterWAN packets need to take in traveling between said source and destination sites 

24 and so as to guarantee that the average available bandwidth along data paths 

25 AlterWAN packets must traverse to travel between said source and destination sites 

26 is substantially greater than the worst case bandwidth consumption of traffic 

27 between source and destination sites, and, if necessary, configuring data in routing 

28 tables of said participating ISX/ISP providers so as to minimize said number of hops 
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29 and guarantee said bandwidth contracted for when routing AlterWAN packets; 

30 5) contracting to establish a first dedicated local loop connection between the 

3 1 output of a source router at which said signals appear and said source ISX/ISP 

3 2 provider in the group of ISX/ISP providers selected in step 2, said first dedicated local 

33 loop connection having sufficiently high bandwidth to handle the worst case traffic 

34 volume in AlterWAN packets traveling between said source and destination sites; 

35 6) contracting to provide a second dedicated local loop connection connecting 
3 6 the input of a destination router to said destination ISX/ISP provider, said second 

3 7 dedicated local loop connection having sufficiently high bandwidth to handle the 

38 worst case traffic volume in AlterWAN packets traveling between said source and 

39 destination sites; 

40 7) coupling an untrusted port of a source firewall/virtual private network 

4 1 circuit (hereafter referred to as the source firewall) to a source router and coupling a 

42 trusted port of said source firewall to said device or devices at said source site and 

43 configuring said source firewall to examine the destination addresses of internet 

44 Protocol packets (hereafter IP packets) received from said devices at said source 

45 site and encapsulate each IP packet having a destination address which is the 

46 Internet Protocol address (hereafter IP address) of any device at said destination site 

47 as a payload portion in a second IP packet, hereafter referred to as an AlterWAN 

48 packet, said AlterWAN packet having as its destination address the IP address of an 

49 untrusted port of a destination firewall/virtual private network circuit (hereafter 

5 0 referred to as the destination firewall) at said destination site and having the original 

51 IP packet as its payload with portions of said AlterWAN packet other than said 

52 payload section being referred to herein as an AlterWAN packet header, said source 

53 firewall also being configured to encrypt the payload portions of all said AlterWAN 

54 packets using a predetermined encryption algorithm and one or more encryption keys 
5 5 but not to encapsulate or encrypt the payload portions of any packets received from 

56 said devices at said source site which do not have as their destination address the IP 

57 address of any device at said destination site (hereafter referred to as non AlterWAN 

58 packets), and configuring said source firewall to screen incoming IP packets so as to 

59 recognize any incoming AlterWAN packets which have as their destination 

60 addresses the IP address of the untrusted port of said source firewall and to strip off 

6 1 the AlterWAN packet headers and decrypt the payload portion of each said incoming 
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6 2 AlterWAN packet to recover the original IP packet transmitted from said destination 

63 firewall using the same encryption algorithm and the same encryption key or keys 

64 used to encrypt the pay load portions of said AlterWAN packets when they were 

65 transmitted from said destination firewall so as to recover the original IP packet 

66 transmitted to said destination firewall by a computer at said destination site, and for 

67 outputting said recovered original IP packet to said device or devices at said source 

68 site having the IP address which is the destination address of said original IP packet; 

69 8) coupling a source router to receive said encrypted AlterWAN packets and 

70 non-encrypted non-AlterWAN packets from said untrusted port of said source 

7 1 firewall and to convert said AlterWAN and non-AlterWAN packets in a channel 

72 service unit to signals suitable for transmission over said first dedicated local loop 
7 3 connection to said source ISX/ISP provider; 

74 9) providing a destination router at said destination site having a firewall port 

75 coupled to said untrusted port of said destination firewall and having a channel 

76 service unit coupled to said destination ISX/ISP provider via said second dedicated 

77 local loop connection and which is configured to receive from said second dedicated 

78 local loop connection downstream signals encoding both encrypted AlterWAN 

79 packets and conventional non AlterWAN IP packets and converting said signals back 

80 into the original digital IP packet form and configuring said destination router to output 

81 said recovered downstream IP packets at said firewall port coupled to said untrusted 

82 port of said destination firewall, and said destination router configured to receive 

83 upstream AlterWAN packets and conventional non AlterWAN packets and convert 

84 both types of said packets into signals suitable for transmission on said second 

85 dedicated local loop connection coupling said destination router to said participating 

86 destination ISX/ISP provider in the group of participating ISX/ISP providers selected in 

87 step 2 and transmitting said signals on said second dedicated local loop connection; 

88 10) providing a destination firewall having an untrusted port coupled to said 

89 firewall port of said destination router so as to receive said recovered digital IP 

90 packets, and configuring said destination firewall to recognize as AlterWAN packets 

9 1 incoming recovered IP packets having as their destination address the IP address of 

92 said destination firewall untrusted port and further configured to strip off the 

9 3 AlterWAN packet header of each said AlterWAN packet and decrypt the payload 

94 portion of each said AlterWAN packet using the same encryption algorithm and 
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9 5 encryption key or keys that were used to encrypt the AlterWAN packet at said 

96 source firewall so as to recover the original IP packet encapsulated in each AlterWAN 

9 7 packet, and configuring said destination firewall to output the decrypted original IP 

98 packets at an output coupled to a device or devices at said destination site, and 

99 configuring said destination firewall to examine the destination addresses of 

1 00 upstream !P packets received from a device or devices at said destination site and 

1 0 1 encapsulate each upstream IP packet addressed to any computer or other device at 

I 02 said source site as the pay load portion of in another IP packet, hereafter referred to 

103 as an upstream AlterWAN packet (an AlterWAN packet traveling from said destination 

1 04 site toward said source site), said AlterWAN packet having as its destination address 

105 the IP address of said untrusted port of said source firewall at said source site and 

1 06 having the original IP packet as its payload, said destination firewall being configured 

107 to encrypt the payload portions of all said upstream AlterWAN packets using a 

1 08 predetermined encryption algorithm and one or more encryption keys but not to 

1 09 encapsulate or encrypt the payload portions of any non AlterWAN IP packets 

I I 0 received from said device or devices at said destination site which do not have as 

I I I their destination addresses an IP address of any device at said source site (hereafter 
1 1 2 referred to as conventional non AlterWAN packets), and said destination firewall 

1 1 3 configured to transmit said encrypted upstream AlterWAN packets and said 

1 1 4 conventional non AlterWAN packets to said destination router via said untrusted port. 

1 10. (New) A private wide area network connecting a customer source site to a 

2 customer destination site and using the internet as a backbone, comprising: 

3 a first dedicated data path coupled to a first participating ISX/ISP provider of 

4 internet access; 

5 a source router having a channel service unit having an output coupled to said 

6 first dedicated data path; 

7 a source firewall circuit having a first port for coupling directly or through a 

8 local area network to one or more devices at a customer source site, and having an 

9 untrusted port coupled to said source router directly or through a local area network, 

1 0 said untrusted port of said source firewall having an Internet Protocol address 

1 1 (hereafter IP address), said source firewall functioning to receive Internet Protocol 
1 2 packets (hereafter IP packets) from said one or more devices at said customer 
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1 3 source site which are addressed to one or more devices at a customer destination 

1 4 site (hereafter AiterWAN pay load packets) and other IP packets addressed to other 

1 5 locations on the internet (hereafter conventional IP packets), and for encapsulating 

1 6 said AiterWAN pay load packets as the payload sections of IP packets addressed to 

17 an IP address of an untrusted port of a destination firewall at said customer 

1 8 destination site (hereafter outgoing AiterWAN packets) and functioning to encrypt the 

1 9 payloads of said outgoing AiterWAN packets using a first encryption method known 

20 to a destination firewall and using a key or key known to said destination firewall and 

2 1 which may be user definable, and for receiving incoming IP packets and comparing 

22 the destination addresses of said incoming IP packets to said IP address of said 

23 untrusted port of said source firewall circuit, and decrypting the payload sections of 

24 any incoming IP packets having as their destination address the IP address of said 

2 5 untrusted port of said source firewall circuit (hereafter incoming AiterWAN packets) 

26 using whatever encryption method and key or keys which were used to encrypt 

27 them so as to recover the encapsulated AiterWAN payload packet from each 

28 incoming AiterWAN packet, and transmitting each recovered AiterWAN payload 

29 packet to a device at said customer source site to which said AiterWAN payload 

30 packet is addressed; 

3 1 one or more routers of other participating ISX/ISP providers of internet 

3 2 services including a router at an endpoint participating ISX/ISP provider, said routers 

33 of said ISX/ISP providers functioning to implement a low hop count data path in the 

34 form of a virtual private network tunnel through the internet coupling one or more 
3 5 devices at said customer source site to one or more computers at said customer 

36 destination site, said low hop count data path having an average available bandwidth 

37 which is substantially greater than the worst case bandwidth consumption of 

38 AiterWAN packets traveling between said customer source site and said customer 

39 destination site; 

40 a destination router including a channel service unit coupled to or part of said 

4 1 destination router, said destination router coupled through said channel service unit 

42 and a second dedicated datapath to said router of said endpoint participating ISX/ISP 

43 provider; 

44 a destination firewall circuit having an untrusted port having an IP address to 

45 which said outgoing AiterWAN packets are addressed, said untrusted port coupled to 
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46 said destination router directly or through a local area network and having a second 

47 port for coupling directly or through a local area network to one or more devices at 

48 said customer destination site, said destination firewall circuit functioning to receive IP 

49 packets from said one or more devices at said customer destination site which are 

5 0 addressed to one or more devices at said customer source site (hereafter AlterWAN 

5 1 payload packets) and functioning to receive other conventional IP packets, and for 

5 2 encapsulating said AlterWAN payload packets as the payload sections of AlterWAN 

5 3 packets addressed to said IP address of an untrusted port of said source firewall 

54 circuit at said customer source site (hereafter outgoing AlterWAN packets) and 

5 5 functioning to encrypt the payloads of said outgoing AlterWAN packets using an 

56 encryption method known to said source firewall and a key or keys known to said 

57 source firewall and for receiving incoming IP packets and comparing the destination 

5 8 addresses of said incoming IP packets to said IP address of said untrusted port of 

59 said destination firewall circuit, and decrypting the payload sections of any incoming 

60 IP packets having as their destination address the IP address of said untrusted port of 

6 1 said destination firewall circuit (hereafter incoming AlterWAN packets) using 

62 whatever encryption method and key or keys which were used to encrypt said 

63 incoming AlterWAN packets so as to recover the encapsulated AlterWAN payload 

64 packet from each incoming AlterWAN packet, and transmitting each recovered 

6 5 AlterWAN payload packet to the device to which it is addressed at said customer 
66 destination site. 
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